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Abstract 



CNI ' It is well-known that degree two finite field extensions can be equipped with a 

Hcrmitian-like structure similar to the extension of the complex field over the reals. 
In this contribution, using this structure, we develop a modular character theory 
and the appropriate Fourier transform for some particular kind of finite Abelian 
groups. Moreover we introduce the notion of bent functions for finite field valued 
Y\ functions rather than usual complex- valued functions, and we study several of their 

properties. In particular we prove that this bentness notion is a consequence of 



that of Logachev, Salnikov and Yashchenko, introduced in Bent functions on a 
finite Abelian group (1997). In addition this new bentness notion is also generalized 
to a vectorial setting. 

Keywords: Finite Abelian groups, character theory, Hcrmitian spaces, Fourier 
transform, bent functions. 
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1. Introduction 

The most simple Hermitian structure is given by the complex field C when 
equipped with the complex modulus z (for z €. C). Although quite simple, this 
structure has many applications in the theory of harmonic analysis of finite Abelian 
groups. Indeed the theory of characters for such groups is explicitly based on the 
existence of a special subgroup of the multiplicative group C* , the unit sphere or 
group of roots of unity 5(C) ={zgC:Iz = 1}. This multiplicative group contains 
an isomorphic copy of each possible cyclic group. Thus it is possible to represent an 
abstract group G as a group G of <S(C)-valued functions that preserves the group 
structure of G, called characters, which is isomorphic to G itself. These characters 
are the group homomorphisms from G to <S(C). Moreover the dual group G is also 
an orthogonal basis for the |G|-th dimensional vector space of C- valued functions 
defined on G. This property makes it possible to carry out a harmonic analysis on 
finite Abelian groups using the (discrete) Fourier transform which is defined as the 
decomposition of a vector of C G in the basis of characters. 

Given a degree two extension GF(p 2 ") of GF(p"), the Galois field with p" el- 
ements where p is a prime number, we can also define a "conjugate" and thus a 
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Hermitian structure on GF(p 2n ) in a way similar to the relation C/R. In particu- 
lar this makes possible the definition of a unit circle S(GF(p 2n )) which is a cyclic 
group of order p n + 1, subgroup of the multiplicative group GF(p 2 ™)* of invert- 
ible elements. The analogy with C/R is extended in this paper by the definition 
of GF(p 2 ™)-valued characters of finite Abelian groups G as group homomorphisms 
from G to S(G¥(p 2n )). But S(GF(p 2n )) does obviously not contain a copy of each 
cyclic group. Nevertheless if d divides p n + 1, then the cyclic group Z^ of modulo d 
integers embeds as a subgroup of this particular unit circle. It forces our modular 

N 

theory of characters to be applied only to direct products of the form G = TT Z^ ni 

where each di divides p n + 1. In addition we prove that these modular characters 
form an orthogonal basis (by respect to the Hermitian- like structure GF(p 2 ™) over 
GF(p™)). This decisive property makes it possible the definition of an appropri- 
ate notion of Fourier transform for GF(p 2 ™)-valued functions, rather than C-valued 
ones, defined on G, as their decompositions in the dual basis of characters. In this 
contribution we largely investigate several properties of this modular version of the 
Fourier transform similar to classical ones. 

Traditionally an important cryptographic criterion can be naturally defined in 
terms of Fourier transform. Indeed bent functions are those functions / : G — > S(C) 
such that the magnitude of their Fourier transform |/(a)| 2 is constant, equals to 
\G\. Such functions achieve the optimal possible resistance against the famous linear 
cryptanalysis of secret-key cryptosy stems. Now using our theory of characters we 
can translate the bentness concept in our modular setting in order to treat the 
case of <S(GF(p 2n ))-valued functions defined on a finite Abelian group G. In this 
paper are also studied some properties of such functions. As a last contribution, we 
develop a vectorial notion of bent functions that concerns maps from G to GF(p 2n ) 1 
that explicitly uses an Hermitian structure of GF(p 2n ) 1 . 

We warm the reader that the new notion of bentness presented hereafter is in- 
troduced as an illustration of this new finite-field valued character theory and its 
associated Fourier transform. The possible connections between usual bent func- 
tions (in particular those with values in a finite- field, see [1]) and our own definition 
are not all made clear in the present contribution. This paper should only be seen as 
a complete presentation of a general framework about modular harmonic analysis, 
given by a modular character theory and an associated modular Fourier transform, 
that should possibly be used for future research to make interesting connections 
with cryptographic Boolean functions. In this contribution we limit ourselves to 
point out that the objects introduced hereafter share many properties with their 
well-known counterparts. Deeper relationships, if they exist, are outside the scope 
of our current work. Nevertheless we mention the important assertion proved in 
this contribution: many usual bent functions in the sense of Logachcv, Salnikov 
and Yashchcnko (see [12]) are also bent functions in our finite-field setting. 

2. Character theory: the classical approach 

In this paper G always denotes a finite Abelian group (in additive representa- 
tion), 0<3 is its identity element. Moreover for all groups H, H* is the set obtained 
from H by removing its identity element (therefore, G* = G \ {0q})- This last 
notation is in accordance with the usual notation N* = N \ { }. 



The character theory of finite Abelian groups was originally introduced in order 
to embed algebraic structures into the complex field C, and therefore to obtain 
geometric realizations of abstract groups as sets of complex transformations. The 
main relevant objects are the characters, i.e. the group homomorphisms from a 
finite Abelian group G to the unit circle 5(C) of the complex field. The set of 
all such characters of G together with point-wise multiplication is denoted by G 
and called the dual group of G. A classical result claims that G and its dual are 
isomorphic This property essentially holds because 5(C) contains an isomorphic 
copy of all cyclic groups. Usually the image in G of a £ G by such an isomorphism 
is denoted by Xa- The complex vector space C G of complex- valued functions defined 
on G can be equipped with an inner product defined for f,g£ C G by 

(/,,?} = £/(#) (1) 

xGG 

where z denotes the complex conjugate of z £ C. With respect to this Hermitian 
structure, G is an orthogonal basis, i.e. 

&a,X/9> = | | G | ifa = /3 (2) 

for a, (3 £ G 2 . We observe that in particular (replacing j3 by Og), 

2>«-{|ci *«-£ (3) 

xea i. i i 

According to the orthogonality property, the notion of characters leads to some 
harmonic analysis of finite Abelian groups via a (discrete) Fourier transform. 

Definition 2.1. Let G be a finite Abelian group and / : G — > C. The (discrete) 
Fourier transform of / is defined as 

/: G -> C 

« -► £/(aOXa(aO. W 

xeG 

The Fourier transform of a function / is essentially its decomposition in the 
basis G. This transform is invertible and one has an inversion formula for /, 



f( x ) = 7777 Yl f( a )Xa{a 



l G L 



(5) 



for each x £ G. More precisely the Fourier transform is an algebra isomorphism 
from (C G ,*) to (C G ,.) where the symbol "." denotes the point-wise multiplication 
of functions, while * is the convolutional product defined for f,g£ (C G ) by 

f*g: G -> C 

a h+ J2f(x)9(-x + a) (6) 

x£G 

Since the Fourier transform is an isomorphism between the two algebras, the trivi- 
alization of the convolutional product holds for each (/, g) £ (C ) 2 and each a £ G, 

(f7g)(a)=f(a)g(a). (7) 

From these two main properties one can establish the following classical results. 



Proposition 1. Let G be a finite Abelian group and f,g £ C G . We have 

^2 f( x )d{x) = |77| 53 /( a )3( a ) (Plancherel formula), (8) 
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Y, l/( x )| 2 = l4 E l/(«)| 2 (PorawoJ eguaizorcj (9) 

where \z\ is the complex modulus of z G C. 

This paper is mostly dedicated to the study of a character theory for some finite 
Abelian groups over some finite fields rather than C. In particular we provide similar 
results as those from this section. Obviously we need an Hermitian structure over 
the chosen finite field. This is the content of the next section. 



3. Hermitian structure over finite fields 

In this section we recall some results about an Hermitian structure in some 
kinds of finite fields. By analogy with the classical theory of characters (recalled in 
section 2), this particular structure is involved in the definition of a suitable theory 
of finite field- valued characters of some finite Abelian groups which is developed in 
section 4. This section is directly inspired from [9] of which we follow the notations, 
and generalized to any characteristic p. 

Let p be a given prime number and q an even power of p, i.e., there is n 6 N* 
such that q = p 2n , and in particular q is a square. 

Assumption 1. From now on the parameters p, n, q are fixed as introduced above. 

As usually GF(g) is the finite field of characteristic p with q elements and by 
construction GF( v / g) is a subfield of GF(g). The field GF(g), as an extension of 
degree 2 of GF( v /g), is also a vector space of dimension 2 over GF(^/q). This 
situation is similar to the one of C and R. As GF(g) plays the role of C, the 
Hermitian structure should be provided for it. Again according to the analogy 
C/R, we then need to determine a corresponding conjugate. In order to do this we 
use the Frobenius automorphism Frob of GF(g) defined by 

Frob: GF(q) -> GF(g) (1Q) 

and one of its powers 

Frob fc : GF(g) -> GF(g) 

X H->- X P . 

In particular Frobi = Frob. 

Definition 3.1. The conjugate of x € GF(q) over GF(^/q) is denoted by x and 
defined as 

X = Frob„(ar) = x p " = x^ . (12) 

In particular, for every n € Z, n\ — n\. The field extension GF (q) / GF (^/q) has 
amazing similarities with the extension C over the real numbers in particular re- 
garding the conjugate. 



Proposition 2. Let xi,X2 £ GF(g) , then 



1. X\ + x 2 = X\ +X2, 



2. —x\ = —xT, 

3. X\X 2 =x~lxi, 

4- X~\ = X\. 

Proof. The three first points come from the fact that Frob n is a field homomorphism 
of GF(g). The last point holds since for each x £ GF(g), x q = x. D 

The relative norm with respect to GF(g)/GF(^/g) is defined as 

norm(a;) = xx (13) 

for x £ GF(g), and it maps GF(<j) to GF( v /g). We observe that norm(x) £ GF( v /g) 
because y/q + 1 divides q — 1, and norm(x) = if, and only if, x = 0. 

The unit circle of GF(g) is defined as the set 

S{G¥{q)) = {x£G¥{q): xx = 1} (14) 

of all elements having relative norm 1. By construction <S(GF(g)) is the group of 
(y/q+ l)-th roots of unity, and therefore it is a (multiplicative) cyclic group of order 
^/q+ 1 since GF(q)* is cyclic and y/q+ 1 divides q — 1. In what follows, S(GF(q)) 
will play exactly the same role as <S(C) in the classical theory of characters. 

Now let GF(g)' be the ^-dimensional vector space over GF(g), then the Hermitian 
dot product of two vectors x = (xi, . . . , xi) and y = (j/i, . . . , yi) of GF(q) z is 

i 
{x,y) = ^T f x i yi . (15) 

Again, this kind of Hermitian dot product has properties similar to the natural 
Hermitian inner product on complex vector spaces. Let a, j3 £ GF{q) and x,y,z £ 
GF(q) 1 , then 

1. ((ace + Py), z) = a(x, z) + P{y, z) {linearity), 



2- (x,y) = (y,x) (conjugate symmetry), 
3. (x,x)£GF( y /q). 

We observe that the canonical basis B of GF(g)' over GF(g) is orthonormal with 
respect to (•,•) ((e, e') — if e ^ e', and (e, e) = 1 for all e, e' £ B), and it is 
clear that for every x £ GF(g)', x = X^e-B^' e ) e ' Nevertheless, contrary to the 
usual Hermitian situation, it may happen that for a non-zero vector x £ GF(q) , 
(x, x) = (for instance, consider the situation where q = 2 2n , and / = 2m). But 
this dot product is non- degenerate: let us assume that for some x, (x, y) = for 
every y, then x = (0, . . . , 0) (to see this it suffices to let y run over the canonical 

/ factors 



basis of GF(q) ). Similarly, by conjugate symmetry, (x,y) = for each x implies 
that y = (0, . . . , 0). Therefore, (•, •) defines a pairing (see [4]). 

/ factors 

I 

Wc denote norm;(a;) = (x, x) = >^ norm(:r) for x € GF(q)', and finally S(GF(q) 1 ) 

%=\ 
is defined as the hypersphere in GF(g) i with center at (0, . . . , 0) and radius 1. 

/ factors 

4. Characters of certain finite Abelian groups over a finite field 

Before beginning some formal developments, one should warn the reader on 
the limitations of the expected character theory in finite fields. In section 3, wc 
claimed that S(GF(q)) is a cyclic group of order y/q + 1. Then for each nonzero 
integer d that divides sfq + 1, there is a (cyclic) subgroup of S(GF(g)) of order 
d, and this is the unique kind of subgroups. As a character theory is essentially 
used to faithfully represent an abstract group as an isomorphic group of functions, 
a copy of such group must be contained in the corresponding unit circle. Then our 
character theory in GF(q r ) will only apply on groups for which all their factors in a 
representation as a product direct group of cyclic subgroups divides yfq + 1. 

Assumption 2. From now on d always denotes an element of N* that divides 

Definition 4.1. (and proposition) The (cyclic) subgroup of <S(GF(g)) of order d is 
denoted by Sd(GF(q)). In particular, <S(GF(g)) = S^q + i(GF(q)). If u is a generator 

of S(GF(q)) then u^^~ is a generator of Sd{GF(q)). 

A character of a finite Abelian group G with respect to GF(g) (or simply a 
character) is a group homomorphism from G to 5(GF(g)). Since a character x 
is S(GF(q))-valued, x(-x) = (x(x))~ l = x(%), norm(x(a;)) = 1 and x(0g) = 1 
for each x G G. By analogy with the traditional version, we denote by G the set 
of all characters of G that we call its dual. When equipped with the point-wise 
multiplication, G is a finite Abelian group. One recall that this multiplication is 
defined as 

Vx,x'eG, xx'-x^ X (x)x'(x). (16) 

As already mentionncd in introduction, wc focus on a very special kind of finite 
Abelian groups: the additive group of modulo d integers Z^ which is identified with 
the subset {0, . . . , d — 1} of Z. 

Theorem 4.2. The groups Z^ and Id are isomorphic. 

Proof. The parameter d has been chosen so that it divides Jq+ 1. Then there is a 
unique (cyclic) subgroup Sd{GF(q)) of S(GF(q)) of order d. Let Ud be a generator 
of this group. Then the elements of Z^ have the form, for j 6 Z^, 

/ Z d -+ Sd(GF( q j) 
*>'■ \ k .-> {u j d ) k = u J d k . [U) 

Actually the characters are Sd(GF(g))-valucd since for each x £ Zd and each char- 
acter x, x( x ) S S(GF(q)) by definition, and satisfies 1 = x(0) = x(dx) = (x( x )) d 



and then x( x ) is a d-th root of the unity. Then to determine a character x G Zd, 
we need to compute the value of x(k) = x(fcl) for k £ {0, . . . , d — 1}, which gives 

X {k)=uf. (18) 

In this equality, we have denoted x(l) by w^ for j £ {0, . . . , d— 1} since x(l) is a d-th 
root of the unity in S(GF(q)). Then the character x belongs to { Xo, ■■■■> Xd-i }• 
Conversely, we observe that for j € {1, . . . , d— 1}, the maps Xj are group homomor- 
phisms from Z^ to <S(GF(g)) so they are elements of Z<j. Let us define the following 
function. ^^ 

* : Zd -4 Zd qqn 

i «-> xj ■ 

We have already seen that it is onto. Moreover, it is also one-to-one (it is sufficient 
to evaluate Xj = ^0) at 1) and it is obviously a group homomorphism. It is then 
an isomorphism, so that Z^ is isomorphic to Z<j. □ 

The isomorphism established in theorem 4.2 between a group and its dual can 
be generalized as follows. 

Proposition 3. Z^ x Z^ 2 and (Z^ x Z<j 2 ) are isomorphic. 

Proof. The proof is easy since it is sufficient to remark that (Z^ x Z^ 2 ) and Z^ x 
Zd 2 are isomorphic. We recall that d\ and d% are both assumed to divide y/q + 1, 
thus Zrfj and Zd 2 exist and are isomorphic to Z^ and Zd 2 respectively. Let ii be 
the first canonical injection of Z^ x Zrf 2 and i2 the second (when Z,^ x Z^ 2 is seen 
as a direct sum). The following map 

(j,. J (Zdj x Zd 2 ) — > Zrfj x Z^ 2 /2Q-) 

\ X ^ (x°»i>X°«2) 

is a group isomorphism. It is obviously one-to-one and for (xi, X2) S ^di x ^<z 2 > the 
map x : (#1,2:2) H> Xit^i^^) is an element of (Z dl x Z d2 ) and $(x) = (xi>X2)- 
Then (Z^ x Z<f 2 ) is isomorphic to Z^ x Z^, since .Z^ and Z^ are isomorphic (for 
z = 1,2). □ 

From proposition 3 it follows in particular that Z™ is isomorphic to Z™. This 
result also provides a specific form to the characters of Z™ as follows. We define a 
dot product, which is a Z^-bilinear map from (Z™) 2 to Zd, by 

m 
x ■ y = ^2 X iVi e Z d (21) 

for x, y £ Z™. Then the character that corresponds to a £ Z™ can be defined by 

(22) 



Xa : %f -► 5„(GF(g)) 



./• 



V/ 



where u,i is a generator of 5d(GF(g)). In particular for each a,x £ Z™, Xa{ x ) 
Xxipt). The following result is obvious. 



N 



Corollary 1. Let G = I I r il^ i be a finite Abelian group for which each integer di 
divides y/q + 1. Then G and G are isomorphic. 

Remark 1. The fact that G = G does not depend on a decomposition of G into 
a direct sum of cyclic groups. But a particular isomorphism of corollary 1 depends 
on the decomposition Y\ i=1 Z™ i of the group G. 

N 

If G = | | Z™ i satisfies the assumption of the corollary 1, then we can also 

4=1 

obtain a specific form for its characters and a specific isomorphism from G to its 
dual. Let a — (a\, . . . , ajv) £ G. 



Xa : G -> S(GF(q)) 

N 
?!,..., X N ) ^ ~[u>Z Xi 



(23) 

X = (Xi 



where for each i £ {1, . . . , N}, u^ is a generator of Sd i (GF(q)). In particular for 
each a,x £ G 2 , we also have Xa( a; ) = Xx(a)- 

Assumption 3. From now on, each finite Abelian group G considered is assumed 

N 

to be of a specific form TT Z™ ; where for each i £ {1, . . . , N}, di divides y/q + 1, 

i=l 

so that we have at our disposal a specific isomorphism given by the formula (23) 
between G and G. 

The dual G of G is constructed and is shown to be isomorphic to G. We may 

also be interested into the bidual G of G, namely the dual of G. Similarly to 
the usual situation of complex-valued characters, we prove that G and its bidual 

are canonically isomorphic. It is already clear that G = G (because G = G and 
G = G). But this isomorphism is far from being canonical since it depends on a 
decomposition of G, and of G, and choices for generators of each cyclic factor in 
the given decomposition. We observe that the map e: G — >• G defined by e(x)(x) = 
x{x) for every x £ G, \ € G is a group homomorphism. To prove that it is an 

isomorphism it suffices to check that e is one-to-one (since G and G have the same 
order). Let x £ ker(e). Then, for all x G G, x( x ) = 1- Let us fix an isomorphism 
a £ G — > Xa £ G as in the formula (23). Then, for every a £ G, Xa(^) = 1 = Xz^) 
so that x = Og- Thus we have obtained an appropriate version of Pontryagin-van 
Kampen duality (see [10]). Let us recall that according to the structure theorem 
of finite Abelian groups, for any finite Abelian group G, there is a unique finite 
sequence of positive integers, called the invariants of G, di,-- ■ ,df G such that di 
divides d i+ i for each i < Iq. Let us denote by !A.b^ +x the category of all finite 
Abelian groups G such that dg G divides ^/q + 1, with usual homomorphisms of 
groups as arrows. From the previous results, if G is an object of 51b ^/q+i, then 

G = G. Moreover, (•) defines a contravariant functor (sec [15]) from Slb/q+i to 
itself. Indeed, if </>: G — >• H is a homomorphism of groups (where G, H belongs to 



SlB /g +1 ), then cf>: H — > G denned by 4>(x) = x o </i is a homomorphism of groups. 
Then, we have the following duality theorem. 

Theorem 4.3 (Duality). The covariant (endo-) functor (•): %h y^+i — > .#6 w^+i *s 
a (functorial) isomorphism (this means in particular that G = G). 

5. Orthogonality relations 

The characters satisfy a certain kind of orthogonality relation. In order to 
establish it we introduce the natural "action" of Z on any finite field GF(p') of 
characteristic p as kx = x + . . . + x for (k,x) G Zx GF(p l ). This is nothing else 

k times 

than the fact that the underlying Abelian group structure of GF(p l ) is a Z-modulc. 
In particular one has for each (k, k' , i) e Z x Z x GF(p l ), 

1. Ox = 0, lx = x and fcO = 0, 

2. (k + k')x = kx + k'x and then nkx = n(kx), 

3. fcl € GF(p), fcl = (fcmodp)l, fc m l = (fcl) m and if fc mod p ^ 0, then 
(fcl)- 1 = (fcmodp)- 1 !. 

In the remainder we identify fcl with k mod p or in other terms we make an explicit 
identification of GF{p) by Z p . 

Lemma 5.1. Let G be a finite Abelian group. For x € G, 

X^O^H flGI modal !fv = l' ^ 



x<£G 



Proof If x = 1, then \~] 1 = {\G\ mod p) since the characteristic of GF(g) is equal 

xec 
to p. Let us suppose that x ¥" 1- Let xo € G such that x(a;o) 7^ 1- Then we have 

x(*o) ^ x(aO = X! x( x o + *) = X! x(y), ( 25 ) 

x£G xGG y£G 

so that (x( x o) — 1) /J x( x ) = and thus >J x( a; ) = (because x( x o) 7^ 1)- □ 

i£G x£G 

This technical lemma allows us to define the orthogonality relation between 
characters. 

Definition 5.2. Let G be a finite Abelian group. Let /, g <G GF(q) G . We define 
the "inner product" of / and g by 

16G 

The above definition does not ensure that (/, /) = implies that / = as it holds 
for a true inner product. Indeed, take q — 2 2 ™, and let /: Z 2 — > GF(2 2 ") be the 
constant map with value 1. Then, (/, /) = 0. Thus, contrary to a usual Hcrmitian 
dot product, an orthogonal family (with respect to (-,-)) of GF(q) G is not necessarily 
GF(q)-lincarly independent. 



Proposition 4 (Orthogonality relation). Let G be a finite Abelian group. For all 
(X1.X2) G G 2 i/ien 

«i.Xa)-| | G | modp ifxi=X2 . ( 27 ) 

Proof. Let us denote X = XiX^ 1 = XiX2- We have: 

(Xi,X2> = 2>(*)- (28) 

If xi = X2, then ^ = 1 and if xi ¥" X2, then % ^ 1. The proof is obtained by using 
the previous lemma 5.1. □ 

Remark 2. The term orthogonality would be abusive if \G\ modp = 0, because 
then y x( x ) = for all \ £ G. Nevertheless we know from the assumption 3 

xeG 
that all the di's divide y/q + 1 = p n + 1. In particular, d% = 1 modp and therefore 
\G\ = Yii d™* is co-prime to p, and the above situation cannot occur, so |G| is 
invertible modulo p. 

6. Fourier transform over a finite field 

In this section is developed a Fourier transform for functions defined on G and 
based on the theory of characters introduced in section 4. There is already a Fourier 
transform with values in some finite field called Matts on- Solomon transform [3] but 
it maps a function / <G GF(q) Zd to a function g <G GF(g m ) Zd where m is the 
smallest positive integer so that d divides q m — 1. In this paper we want our 
Fourier transform to "live" in a finite field GF(q) and not in one of its extensions. 
Moreover the existing transform is not based on an explicit Hcrmitian structure nor 
on a theory of characters. For these reasons, we need to introduce a new kind of 
Fourier transform. 

Let u be a generator of S(GF(q)). Let G be a finite Abelian group and / : G — > 
GF(q). We define the following function. 

/: G — > GF(g) 

X H- ^/(x)x(x). (29) 

xeG 

Remark 3. We warm the reader that we use the same notation / as the one used 
for the Fourier transform of a complex-valued function. From now on only the 
second definition is used. 

iV 

Because G = TT Z™ ; , by using the isomorphism between G and its dual group 

8=1 

4, we can define 

/: G — ► GF(q) 

N 

xeG xeG i=i 

10 
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from section 4, we can define 



Let us compute /. Let a E G. We have 

/(«) = £/(aOx«(aO 

= X^ 1Z f{y)xx(y)x a (x) 

x£Gy£G 

= EE/(^(^«w (31) 

xeGyEG 

= ^2f(y)^2Xa+y{x) 
yEG xGG 

= (\G\ mod p)f (-a) 
The last equality holds since 



if y 7^ — a 

xeG 



J2x a +y(x) 



(\G\ modp) if y = — 



a 



Now if we assume that (\G\ modp) = 0, then it follows that the function f >-¥ f 
is non invertible but this situation cannot occur since from the assumption 3, \G\ 

is invertible modulo p. Therefore we can claim that the function (•) that maps 
/ G GF(q) G to / G GF(q) G is invertible. It is referred to as the Fourier transform 
of / (with respect to GF(q)) and it admits an inversion formula: for / G GF(q) 
and for each x G G. 

f(x) = (\G\ mod p)- 1 J2 /(a)XaR (32) 

a£G 

where (|G| modp) -1 is the multiplicative inverse of (|G| modp) in Z p (this inverse 
exists according to the choice of G) . This Fourier transform shares many properties 
with the classical discrete Fourier transform. 

Definition 6.1. Let G be a finite Abelian group. Let /, g G GF(q) G . For each 
a <E G, we define the convolutional product of / and g at a by 

{f*g)(a) = ^2f(x)g(-x + a). (33) 

x£G 

Proposition 5 (Trivialization of the convolutional product). Let f,g G GF(q) G . 
For each a G G, 

(f^g) («) = /(«)?(«) • (34) 

Proof. Let a G G. We have 

(/*0)(a) = $^Cf "^OOO* ^) 

ieG 

= X! 5Z f(y)g(-y + x)x*{x) 

x£G y£G 

= J2J2 f(v)9(-y + x)x a (y-y + x) (35) 

i£G j/GG 

= X! ^2f(y)9(-y + x )xa(y)xa{~y + x) 

xEGyEG 

= /(")?(") • 

□ 
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We recall that the group-algebra GF(q)[G] of G over GF(g) is the GF(g)-vector 
space GF(q) G with point-wise addition, and with the convolution product. We 
observe that the Fourier transform (■) is an algebra isomorphism from the group- 
algebra GF(g) [G] of G its usual convolution product to GF(q) [G] with the point- wise 
product. Moreover, let (S x ) x& a be the canonical basis of GF(g) G (as a GF(g)-vector 
space), that is, 8 x (y) = if x ^ y and S x (x) = 1. It is easy to see (using a fixed 
isomorphism between G and G) that S x = \x- Because (■) is an isomorphism, this 
means that (xx)xgg is a basis of GF(g) G over GF(<7), and it turns that the Fourier 
transform / of / € GF(q) G is the decomposition of / into the basis of characters 
(we recall here that the fact for a family of elements of GF(g) G to be orthogonal 
with respect to the inner-product (•, •) of GF(q) G does not ensure that the family 
into consideration is linearly independent because (•, •) is not positive-definite). 

We continue to enunciate formulas obtained by considering the decomposition 
into the basis of characters. 

Proposition 6 (Plancherel formula). Let f,g <G GF(q) G . Then, 

J2 !{x)W) = {\G\ mod p)- 1 J2 K*)W) ■ (36) 

x£G a£G 

Proof. Let us define the following functions for any finite group G and any function 
h:G^GF(q), 

I G : G -> G 

X M> —X 

and (37) 

h: G -> GF(g ) 
x M> h(x) . 

Then we have (/ *g o Ig)(0g) = /> f( x )9( x )- But from the inversion formula we 

xGG 

have also 



(f*goI G )(0 G ) = (|G| mod J>)- 1 X)(/*Wg)(«) 

a£G 

= (|G|modp)- 1 ^7(a)(f7iG)(a) (38) 



a£G 

(by the trivialization of the convolutional product.) 
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Let us compute {g o Io)(a) for a G G. 

(goI G )(a) = ^2(g o I G )(x) Xa (x) 
xec 

i6G_ 

= 5Z g(x)xa(-x) 

igg 



i€G 



= 5(a) ■ 
Then we obtain the equality 

(/*3°^) = (|G|modp)- 1 X/(«) 5 ^) (40) 

QgG 

that ensures the correct result. □ 

Corollary 2 (Parscval equation). Let f,g E GF(q) G . Then 

Y^ norm(/(x)) = (\G\ modp)- 1 ^ norm(/(a)) . (41) 

x£G a£G 

In particular, iff is S(GF(q)) -valued, then 

^ norm(/(a)) = (\G\ modp) 2 . (42) 

aSG 

Proof. It is sufficient to apply Planchcrcl formula with g = f ■ □ 

7. Bent functions over a finite field 

Up to now, the following ingredients have been introduced: an Hcrmitian-likc 
structure on degree two extensions, a finite-field character theory for finite Abclian 
groups (of order co-prime to the characteristic), and a corresponding Fourier trans- 
form. All of them may be constituents of a bentness-like notion in this particular 
setting. As already explained in introduction, although we are aware of an existing 
notion of bent functions in finite fields [1], in this contribution we do not make any 
interesting connections with these maps and those introduced below, except that 
they share very similar properties. Nevertheless, we compare the notion of bentess 
due to Logachev, Salnikov and Yashchenko in [12] to our, and we prove that many 
bent functions as defined in [12] are also bent functions in our setting. The notion 
of bentness introduced now serves also as an illustration of our character theory. 
In this section we also prove the existence of functions which are bent in a sense 
presented hereafter. 
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In the traditional setting, i.e., for complex- valued functions denned on any finite 
Abelian group G, bent functions [6, 8, 12, 16, 18] are those maps /: G — > 5(C) such 
that for each a £ G, 

\f(a)\ 2 = \G\ . (43) 

This notion is closely related to some famous cryptanalysis namely the differential [2] 
and linear [13] attacks on secret-key cryptosystems. We translate this concept in 
the current finite-field setting as follows. 

Definition 7.1. The map / : G ->• S(GF(q)) is called bent if for all a E G, 

norm(/(a)) = (|G| modp) . (44) 

7.1. Derivative and bentness 

In the traditional approach the relation with bentness and differential attack is 
due to the following result. 

Proposition 7. [12] Let f:G—> S(C). The function f is bent if, and only if, for 
all a e G* , 

J2 f(a + x)J{x) = • (45) 

xeG 

Similarly, it is possible to characterize the new concept of bentness in a similar 
way. Let /: G — > GF(g). For each a £ G, we define the derivative of f in direction 
a as 

d a f: G -> GF(g) 

x H> f(a + x)f(x) . 
Lemma 7.2. Let f : G ->• GF(q). We have 

1. Mx € G*, f{x) =0^Vae G, /(a) = /(0 G ). 

2. Va e G* , /(a) = <^> / is constant. 
Proof. 1 . 

=>) /(«) = E /WXaW = /(0 G )Xa(0 G ) = /(0 G ), 

<=) According to the inversion formula, 



(46) 



/(«) = (IGlmod^-^/WXa^) 

aeG 

= f(0 G )(\G\ mod py^X-,^) ( 47 ) 

qGG 

= for all x^0 G . 



2. 



>) f{x) = (|G| modp)" 1 J2 ?{0i) X cc{x) = /(0 G )(|G| modp)- 1 , 

a£G 

■-) fja) = y] fix)xa{x) = constant ^ X«(^) = for all o^0 G . 



zgG xeG 
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□ 

Lemma 7.3. Let f: G — > GF(g). We define the autocorrelation function of f as 

ACf. G -► GF(g) 

a H> J2 d ^^ ■ (48) 

x£G 

Then, for all a£G, ACf (a) = norm(/(a)). 
Proof. Let a £ G. 

ACf(a) = Yl AC f( x )x<*(x) 



xeG 

x£G y£G 

= ^2^2f(xy)f(y)x a (xy)xa(y) 

xeG y£G 

= norm(/(a)) . 



(49) 



a 



We use the above results to obtain the following characterization of bentness as 
a combinatorial object using the derivative. 

Theorem 7.4. The function f : G — > S(GF(q)) is bent if, and only if, for all 

aeG*, J2 d °f( x ) = °- 

xeG 

Proof. VaeG*, ^ d a f(x) = 

xGG 

^VaeG*, AC f (a)=0 
^■VaeG, AC~ f {a) = AC f (0 G ) 
(according to lemma 7.2) 
O- Va e G, norm(/(a)) = V" f(x)f(x) 

xeG 
(according to lemma 7.3) 

<=> Va G G, norm(/(a)) = y. norm(/(x)) 

<^ Vcu e G, norm(/(a)) = (|G| modp) 

(because / is <S(GF(g))-valued.) D 

7.2. Comparison between the two bentness notions 

In what follows we refer to the traditional bent functions, as introduced in the 
beginning of section 7, as "bent in the usual sense" , while our own bent functions 
(definition 7.1) are referred to as "bent in the finite-field sense". In this subsection 
we prove that any bent "well-behaved" function in the usual sense is also a bent 
function in the finite-field sense. 

Let U m be the group of complex m-th roots of unity. Let us assume that m 
that divides yfq + 1. Therefore, U m may be identified with the (unique) sub-group 
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of S(GF(q)) of order m. We also remark that for every u € U m , the complex- 
conjugate ZU = cj" 1 , and if the same ui is seen as an element of <S(GF(g)), then 
also ui^ = u;" 1 . Conversely, any sub-group of S(GF(q)) may be identified with 
a sub-group of U ^/q+i- Let us assume that G belongs to M^q +1 . Let us denote 

by G the group of complex-valued characters of G. We have G = G = G. It is 
clear that any complex-valued character of G takes its values in U^+i = S(GF(q)). 

So that for every x G G, and every x g G = G, f(x)x(x) G U^+i = 5(GF(g)). 
Let Z[U^ + i] be the group-ring of U^q+i, and let U^+i be the sub-ring of C 
generated by U/q+i. Let n: ZpU^q+i] — > Uy^+i be the unique ring homomorphism 
such that 7r([a;]) = u for all uj £ Uyq+i (where [•]: U/q+i — > Z[U vg+i] is the 
canonical inclusion). It is clear that as rings U^q+i = Z[U /q+i]/kcr(7r). Similarly, 
let (f>: Z[Uyq+i] — > GF(g) be the unique ring homomorphism such that 0([w]) = w 
for every u G U ^m+i (where uj denotes the image of uj under an isomorphism 
Uyq+i — > 5(GF(q))). It is easily checked that ker(7r) C ker(</>) so that <j> passes to 
the quotient as a ring homomorphism <f>o : U /^+i — > GF(g) such that 4>o(uj) = Co 
for every w G U /q+i (we observe that the restriction of 0o to V/q + i is precisely 
the isomorphism U ^q+i — > S(GF(q)) chosen). We notice that for every integer 
n, (f>o(nuj) = (nmodpjw, and (j>o(uJ) = (w)'v* = w. Now, let us assume that 
/ : G — > U m . Denoting its usual complex-valued Fourier transform by /, we have 
4>o{f) = /■ Let us assume that / is bent (in the traditional meaning), i.e., \f(a)\ = 

\G\ for every a G G. This equivalent to f(a)f(a) = \G\ for every a G G Then, 
norm(/(a)) = </>o(|G|) = |G| modp for every a G G, so that / is bent in this 
finite-field setting. The following result is then proved. 

Theorem 7.5. Let m be a divisor of y/q + 1. Let G be a group in the category 
3l6/q + i. Let f: G — > U m . If f is bent in the usual sense, then it is also bent in the 
finite-field setting sense. 

This result motivates the study of such bent functions in the finite-field sense. 

7.3. Dual bent function 

Again by analogy to the traditional notion [7, 11], it is also possible to define a 
dual bent function from a given bent function. Actually, as we see it below, \G\ must 
be a square in GF(p) to ensure the well-definition of a dual bent. So by using the 
famous law of quadratic reciprocity, we can add the following requirement (which 
contrary to the other assumptions is only needed for proposition 8). 

Assumption 4. If the prime number p is > 3, then \G\ must also satisfy |G|t~ = 1 
(mod p). If the prime number p = 2, then there is no other assumptions on \G\ 
(than those already made). 

According to assumption 4, \G\ mod p is a square in GF(p), then there is at 
least one x G GF(p) with x 2 = \G\ mod p. If p — 2, then x = 1. If p > 3, then we 
choose for x the element (\G\ modp)^. Indeed it is a square root of \G\ modp 
since ((|G| modp) 1 ^ 1 ) 2 = (\G\ modp) 2 * 1 = (|G| (modp))(|G| (modp))^ = \G\ 
(mod p). In all cases we denote by (\G\ mod p) 2 the chosen square root of \G\ mod p. 
Since \G\ modp 7^ 0, then it is clear that this square root also is non-zero. Its 
inverse is denoted by (\G\ modp)" 5 . Finally it is clear that ((|G| modp)" 3 ) 2 = 
(IGlmodp)" 1 . 



16 



Proposition 8. Let f : G — > <S(GF(g)) be a bent function, then the following func- 
tion f, called dual of f , is bent. 

f: G -+ 5(GF(g)) ^ (5Q) 

a h-> (\G\ modp)"5/(a) . 

Proof. Let us first check that / is <S(GF(q))-valued. Let a £ G. We have 



f(a)f(a) = (\G\ mod p)~ * f(a)(\G\ mod p)- * f (a) 

= {\G\ mod py^ormifia)) (51) 

= 1 (since / is bent.) 

Let us check that the bentness property holds for /. Let a £ G. We have f(a) = 
(|G| modp)~i(\G\ modp)f(-a) (according to formula (31)). Then 



f(a)f(a) = (\G\ mod p)f (-a) f (-a) 

= (\G\ mod p)norm(/(— a)) (5 2 ) 

= (|G| mod p) (since / is <S(GF(g))-valued.) 

D 

7.4- Construction of bent functions 

We present a construction which is actually the translation in our setting of 
a simple version of the well-known Maiorana-McFarland construction [8, 14] for 
classical bent functions. 

Let g: G — >• S(GF(g)) be any function. Let / be the following function. 

/: G 2 -> S(GF(q)) 

(x,y) >->■ Xx(y)g{y) ■ 

Then / is bent. We observe that the fact that / is <S(GF(g))-valued is obvious 
by construction. So let us prove that / is indeed bent. We use the combinatorial 
characterization obtained in theorem 7.4. Let a,/3,x,y £ G. Then we have 



d( a ,0)f(x,y) = f(a + x,p + y)f(x,y) 



Xa+x(P + y)g{P + y)xx(y) g{y) 



x<*(P + y)xx(P + y)g(P + y)xx(y) g{y) 



= x a (P)xa {y)xx (P)xx (y)g{P + y)xx(y) g(y) 
= x a {P)x a {y)g{P + y)g{y)xx(P) 

= Xa(P)Xa(y)g(P + y)g{y)xp{x) (because Xx(P) = Xp{x).) 

(54) 
So for (a,P) £ (G 2 )* = G 2 \ {(0 G ,0 G )}, we obtain 



Y d (cx,i3)f{x,y) = Yl x<x{P)xcx{y)g{P + y)g{y)xp{x) 

(x,y)£G 2 (x,y)£G 2 

= x a (P)Y^ a ^9(l 3 + y)9(y)Y x ' :s ^ 

y&G xeG 
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(55) 



The sum YJ Xp( x ) 1S equal to if (3 ^= G and \G\ modp if /? = G (according 

x£G 

to lemma 5.1). Then the right member of the equality (55) is equal to if /3 ^ 

G and (\G\ modp) Xa W) £ X*(y)gW + vW) if j9 = G . So when p ± G , 

y&G 
/_] d( a fi)f(x,y) = 0. Now let us assume that f3 = G , then because (a, 0) £ 
(z,y)£G 2 
G 2 \{(0 G ,0 G )}, a^0 G , we have 

X] d (afi G )f( x ^y) = (\G\ mod p)x a {o G ) ^2 x a (y)g(0G + y)g(y) 

(x,y)eG 2 yGG 

= (|G| modp)J2x a (y) (56) 

yec 
(because 5 is 5(GF(g))-valued) 
= (because a ^ G .) 

So we have checked that for all (a,/?) £ G 2 \ {(0 G ,0 G )}, >J d^ a ^f{x,y) = 

and then according to theorem 7.4 this implies that / is bent. 

8. Vectorial bent functions over a finite field 

In this last section is developed a notion of bentness for GF(g)'-valucd functions 
defined on G called vectorial junctions (this is not the same meaning as in the 
classical literature where it means in general maps from GF(2) m to GF(2)™, see for 
instance [5]). In order to treat this case in a similar way as in the section 7, we first 
introduce a special kind of Fourier transform needed to make clear our definitions. 

8.1. Multidimensional bent functions 

Definition 8.1. Let f:G—> GF(q) 1 . The multidimensional Fourier transform of 

/ is the map f MD defined as 

f MD : G -> GF{qf 

a i-> ^2xa(x)f(x) . ( 57 ) 

l£G 

If I = 1 , then it is obvious that the multidimensional Fourier transform coincides 

with the classical one. Let B the canonical basis of the GF(g)-vector space GF(q) 1 

of dimension I, which is orthonormal for the dot-product (•, •) (see formula (15)). 

Let e £ B. We define the coordinate function f e of/: G — > GF(q) 1 with respect to 

e as 

f e : G -J- GF(q) m 

x h-> (f(x),e) . l * 

Then according to the properties of an orthonormal basis, we observe that 

for each x £ G. Thanks to coordinate functions, it is possible to give a connection 
between the Fourier transform from section 6 and its multidimensional counterpart. 
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Lemma 8.2. For each a £ G, we have 

f MD {a) = y £Ua)e. (60) 



eeB 



Proof. Let a £ G. 



xeG 
= ^^2x<x{x)f e (x)e 



eeB \x£G / 



(61) 



^Je{a)e 

eeB 



u 



Hereafter in this subsection are established some properties for the multidi- 
mensional Fourier transform similar to the corresponding properties of the "one- 
dimensional" Fourier transform. So let / : G — > GF{qy. Let us compute the 
Fourier transform of f MD . Let a £ G. 



-MD 



P" ( a ) = J2x a (x)f MD (x) 
xeG 
= NJ 2_] fe{x)Xa(x)e (according to lemma 8.2) 

xeG eeB 

= E (E £(*)*«(*) J e 

EeB\xeG I 

= J2fe(a)e 

eeB 

= (\G\ mod p) 2_. fe(—oi)e (according to relation (31)) 



eeB 

= (\G\ mod p)/(-a) (according to formula (59)) . 

- X -—~^MD 

The equality f MD (a) = (\G\ mod p)f(—a) will be useful in the sequel. Moreover 
the following inversion formula is proved. 

For all a£G, f(a) = (\G\ modp)- 1 £ ^(ajf MD (x) . (63) 

xeG 

Now, we present a certain kind of Parseval equation in this context. 
Theorem 8.3 (Parseval equation). Let f:G—¥ GF(q) 1 then 

J2 normj(/(s)) = (|G| modp)" 1 ]T norm,(.f MD (a)) . (64) 

xeG aeG 

Iff: G^S{GF(q) 1 ), then 

J2 norm, (/*">(«)) = (\G\ mod pf . (65) 



aeG 



19 



Proof. 

]T]norim(/(a:)) = ^ ^ norm(/ e (x)) 

= (\G\ modpy 1 J2 E nOTm (/e(")) 

eeB a£G 

(according to the Parseval equation applied on f e ) (66) 
= (|G|modp)- 1 EEnorm(/ e (a)) 

aeGeefl 
= (\G\ modp)- 1 £ norm, (?*"> (a)) . 

a£G 

The second assertion is obvious. □ 

It is possible, and even more interesting, to obtain this Parseval equation in an 
alternative way. Let /, g G (GF(q) l ) G and a G G. By replacing the multiplication 
by the dot-product, we define the convolutional product as follows 

(/*ff)(a) = £>(a + *),/(*)) • (67) 

igG 

Since f * g: G — > GF(q), we can compute its one-dimensional Fourier transform 

(/*#)(«) = ^2(f * g){x)x a {x) 

xEGyeG 

= ^2^2xa{x + y)x a (y)(g{x + y)J{y)) 

xeGyeG 

= ^2^2(xa{x + y)g(x + y),xa(y).f(y)) 

x<£Gy<£G (68) 

= ^2C^2x a (x + y)g(x + y),Xa(y)f{y)) 

yeG xeG 

= J2(9 MD (a),x a (y)f(y)) 

yeG 

= (g MD (a),J2x a (y)f(y)) 

= (g MD (a)J MD (a)) . 

It is a kind of trivialization of the convolutional product by the Fourier transform. 
Now let us compute (/ * <?)(0g)- There are two ways to do this. The first one is 
given by definition: (/ * <?)(0g) = E (g( x )i f( x ))- The second one is given by the 

xGG 

inversion formula of the Fourier transform. 



(/*<?)(0 G ) = (|G|modp)- 1 E(777)(a) X o G (a) 

ueG ^ 

= (\G\ mod p)- 1 J2(f*g){a) ( 69 ) 

= {\G\modp)-^{g MD {a)J MD {a)) . 
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Then we have £ (g(x), /(*)} = (|G| mod p)" 1 £ (p MD (a), / MD (a)). 

LC11 

£</(*),/(*)) = (|G| mod p)- 1 2 (/(a), /(a)) (70) 



Now let f = g, then 



i£G aSG 

i.e., 

^ norrm(/(x)) = (|G| modp) -1 ^ norim(/(a)) . (71) 

xeG aeG 

8.2. Multidimensional bent junctions 

In the paper [17] is introduced the notion of multidimensional bentness for T-L- 
valued functions defined on a finite Abelian group G, where W is a finite-dimensional 
Hermitian space. In this subsection, we translate this notion in our special kind of 
Hermitian structure. 

Definition 8.4. Let / : G — >• 5(GF(g) ). The function / is said multidimensional 
bent if for all a G G, norm,(/ MD (a)) = (|G| mod p). 

Lemma 8.5. Let f : G -> GF(g) ; . Then, f(x) = (0, ... ,0) /or oH x G G* i/, and 

I times 

only if, J MD (a) = /(0 G ) /or aH a G G. 



Proo/. =►) / MD (a) = ^ Xa (»)/(») = /(0g) Va G G 

ieg 
4=) /(x) = (|G| modp) -1 2. Xa{ x )f ( a ) (by the inversion formula of the mul- 

a6G 

tidimcnsional Fourier transform). Then by assumption, 

f(x) = (|G| modp)- 1 /^) J2 X-C*) = (°>---> ) 

Z times 

if a; G G*, and /(0g) otherwise. D 

This technical result holds in particular when I = 1 which is lemma 7.2. 

As in the one-dimensional setting, there exists a combinatorial characterization 
of the multidimensional bentness. We define a kind of derivative for GF(g) i -valued 
functions. Another time we use the natural "multiplication" of GF(q)' which is its 
dot-product. 

Definition 8.6. Let /: G — >• GF(q)' and a G G. The derivative of f in direction 
a is defined by 

d a f: G -> GF(q) 

x -> (f(a + x),f(x)) . [<Z) 

This derivative measures the default of orthogonality between f(x) and f(a+x). 

Proposition 9. Let f : G — > 5(GF(g) ). Then, / is 6ent i/ and on/t/ i/ /or all 
a G G*, oQ-(0 G ) = 0. 
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Proof. Let us define the following autocorrelation function 

ACf. G -4 GF(g) 

a >->. d a f(0 G ) ■ 

We have 



(73) 



d a f(0c 


?) = 2J d *f( x )Xo a ( x ) 






l£G 






= X] d <*f( x ) 






xeG 






= £)</(<* + *),/(*)) 






xeG 






= (/*/)(«). 


Let us compute ACf(a). 






AC} (a) = 


y 


)i4C/(a:)xa(a:) 



(74) 



ieG 

= £(/*/)(aOxa(s) 

xeG (75) 

= (/*/)(«) 

= (/ MD (a), / MD (a)) (by the formula (68)) 

= norm, (/*"») . 

Then we have 

Vq e G*, d Q /(0 G ) = 

oVae G*, iC/(«) =0 

<^ Va e G, ACf (a) = j4G/(0g) (according to lemma 8.5) 

^ Va e G, nornn(/ MD (a)) = ACf (pa). 

As i4C/(0 G ) = (/*/)(0 G ) - J2{f(x)J(x)) = ^ norm(/(s)) = (|G| modp) 

i€G x6G 

(since / is 5 (GF(g) )- valued), wc conclude with the expected result. □ 
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